openembedded-core.git/meta/recipes-devtools/squashfs-tools, branch denzil Mirror of openembedded-core squashfs: fix CVE-2012-4025 2012-12-27T23:42:39+00:00 yanjun.zhu yanjun.zhu@windriver.com 2012-12-11T10:00:32+00:00 e6fddd1961061895e9335fa94b636163efdc9caa CQID:WIND00366813 Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi? p=squashfs/squashfs;a=patch;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e Integer overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025 Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> [YOCTO #3564] Signed-off-by: Saul Wold <sgw@linux.intel.com> 
CQID:WIND00366813

Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi?
p=squashfs/squashfs;a=patch;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e

Integer overflow in the queue_init function in unsquashfs.c in
unsquashfs in Squashfs 4.2 and earlier allows remote attackers
to execute arbitrary code via a crafted block_log field in the
superblock of a .sqsh file, leading to a heap-based buffer overflow.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>

[YOCTO #3564]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
squashfs: fix for CVE-2012-4024 2012-11-30T22:51:10+00:00 yanjun.zhu yanjun.zhu@windriver.com 2012-11-30T11:41:23+00:00 d35560f33f257bd12a07c7c0be770319086d6ad9 Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p= squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123 Fix potential stack overflow in get_component() where an individual pathname component in an extract file (specified on the command line or in an extract file) could exceed the 1024 byte sized targname allocated on the stack. Fix by dynamically allocating targname rather than storing it as a fixed size on the stack. [YOCTO #3513] Fixes denzil [YOCTO #3520] Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> 
Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123

Fix potential stack overflow in get_component() where an individual
pathname component in an extract file (specified on the command line
or in an extract file) could exceed the 1024 byte sized targname
allocated on the stack.

Fix by dynamically allocating targname rather than storing it as
a fixed size on the stack.

[YOCTO #3513]

Fixes denzil [YOCTO #3520]

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
OECore license fixes: meta/* 2011-12-08T15:23:49+00:00 Elizabeth Flanagan elizabeth.flanagan@intel.com 2011-12-03T23:48:29+00:00 3083dd70b3a9fa01fcc3cf00373b05502505996e This is a quick audit of only the most obviously wrong licenses found within OECore. These fixes fall into four areas: - LICENSE field had incorrect format so that the parser choked - LICENSE field has a license with no version - LICENSE field was actually incorrect - LICENSE field has an imaginary license that didn't exist This fixes most of the LICENSE warnings thrown, along with my prior commit adding additional licenses to common-licenses and additional SPDXLICENSEMAP entries. HOWEVER..... there is much to be done on the license front. For a list of recipes with licenses that need obvious fixing see: https://wiki.yoctoproject.org/wiki/License_Audit That said, I would suggest another license audit as I've found enough inconsistencies. A good suggestion is when in doubt, look at how openSuse or Gentoo or Debian license the package. Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com> 
This is a quick audit of only the most obviously wrong licenses
found within OECore. These fixes fall into four areas:

- LICENSE field had incorrect format so that the parser choked
- LICENSE field has a license with no version
- LICENSE field was actually incorrect
- LICENSE field has an imaginary license that didn't exist

This fixes most of the LICENSE warnings thrown, along with my prior
commit adding additional licenses to common-licenses and additional
SPDXLICENSEMAP entries.

HOWEVER..... there is much to be done on the license front.
For a list of recipes with licenses that need obvious fixing see:

https://wiki.yoctoproject.org/wiki/License_Audit

That said, I would suggest another license audit as I've found
enough inconsistencies. A good suggestion is when in doubt, look at
how openSuse or Gentoo or Debian license the package.

Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com>
squashfs-tools: fix PR, those should start with 'r' 2011-11-30T23:37:40+00:00 Martin Jansa martin.jansa@gmail.com 2011-11-30T22:57:00+00:00 f4efaa0f472b4bf0ba0a0297cc9ecc8b5a671f72 Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
squashfs-tools: add recipe 2011-10-24T13:28:18+00:00 Cliff Brake cbrake@bec-systems.com 2011-10-21T16:39:47+00:00 0de2d328075587b04fd0db01a98e6e720d792b1b added xz compression option, general cleanup 
added xz compression option, general cleanup